Friday

Nov 2, 2018 at 7:25 PMNov 5, 2018 at 10:56 AM

Long before Florida’s online voter registration system malfunctioned and temporarily throttled back new registrations last month, long before Palm Beach County Supervisor of Elections Susan Bucher called it a glitch-prone “mess” in need of review, Florida’s system for maintaining voter registration records was dogged by reports of serious flaws.

Everything from software security to unauthorized access to voters’ personal information were among the problems cited in Auditor General reports and follow-ups from 2006 through mid-2015.

Last month, Bucher discovered a new problem: Just as Floridians are poised to head to the polls for the most contested midterm elections in recent memory, the state’s brand new online voter registration system crashed.

All of the issues were resolved, said Florida Department of State spokeswoman Sarah Revell, and in any event, "the issues were intermittent"- not a problem with the entire system.

Further, she said, the entire online voting registration program has been “immensely successful since it launched last year and has resulted in more than 78,000 new registered voters.”

There was an unusually high volume of users on the day of the Oct. 9 registration deadline- an estimated 50,000- “and it caused some users to experience issues while others were able to use the site with no problem,” said Revell.

Voter registration, and how those registration records are kept, can be more than a tech-induced headache. When Russian-sponsored hackers tried to worm their way into the elections systems of 21 states in 2016, state-housed voter registration records were prime targets.

That’s because you don’t have to fiddle with the vote-counting software to fiddle with the vote.

Hacks that confuse, delay or block registered voters are every bit as much of a threat as rogue equipment counting those votes.

“You just have to make Election Day chaotic, and particularly if it is in Florida,” said Ion Sancho, former supervisor of elections in Leon County and a nationally-recognized advocate for more secure voting technology.

RELATED: All you need to know about the constitutional amendments on the ballot

Florida’s Department of State, which oversees election systems and houses the state’s sprawling computerized storehouse of ​more than 13 million voter records, told Bucher the new registration system was never fully offline.

As for security, state-of-the-art hardware, software and firewalls keep those records safe, said Revell. And a senior adviser with the U.S. Department of Homeland Security recently wrote to Secretary of State Ken Detzner praising Florida as a leader in election cybersecurity.

"The department has systems in place that are constantly analyzing and flagging potential suspicious activity,” Revell said.

But the online registration glitch follows years of reports by auditors critical of weaknesses in how state voter registration records are secured from prying eyes.

Courting chaos

Meddling in a national election by hacking into vote-counting software is possible, but daunting: Voting is overseen by thousands of different counties and jurisdictions — and about 100,000 polling places — all independent of each other.

Each has its own system and security measures. In many cases, the portion of the system counting ballots is not even connected to the internet.

But an election system is made up of much more than vote-counting equipment.

A key goal of Russian meddling, wrote authors of a declassified version of the U.S. intelligence community’s report on the 2016 attacks, was to undermine public faith in the democratic process.

They weren’t necessarily trying to change votes, investigators concluded. They were trying to sow chaos.

It’s why registration records were on the Russian radar.

“It can cause so much damage if a malicious actor gains access to (voter) registration records, just by changing a few letters of a name or address,” said Danielle Root, voting rights manager with the Center for American Progress, a Washington D.C think tank.

“When a person shows up to the polls, they could be turned away because election officials see the address doesn’t match, or it’s not the right precinct or their name doesn’t match, and then it’s ‘Sorry, we can’t let you vote.’

“It’s a serious, serious issue.”

Hackers almost succeeded in Illinois in 2016, where Russian military officer Anatoliy Kovalev led a team who stole state-housed data on at least 76,000 registered voters, according to both state officials and a July 2018 federal indictment brought by Special Counsel Robert Mueller.

The intrusion was caught prior to election day.

In Florida, Kovalev’s team also was probing county elections websites for weaknesses.

The effort here was not surprising. As the largest swing state, Florida has an outsized role in determining national elections. That, in turn, has made it an outsized target for would-be hackers.

“I think we are probably better suited than any other state in the country” to thwart a cyber attack, said Marion County Supervisor of Elections Wesley Wilcox, who holds a degree in computer science.

That doesn’t mean people won’t try: “What better place to make your name than attacking a state of Florida election?”

And Florida’s voter registration record system has been beset by vulnerabilities from 2006 through at least late 2015.

Early stumbles

Launched as part of the federal Helping America Vote Act in 2006, Florida’s statewide voter registration system holds official records of all Florida registered voters. That data includes such personal information as home addresses, driver’s license numbers and voter signatures.

The original computerized system could provide reports of any attempt to gain access to that voter information without authorization.

But when examiners with the Florida Auditor General took a look, they found nobody at the state was required to check those reports, or even keep records of them.

There were other problems. A formal risk assessment to identify threats to the computerized system — and fix them — hadn’t been completed. A former contract employee still had access to the voter records. Some workers could access voters’ personal registration information even though they had not undergone a comprehensive criminal background check.

No formal security program had been developed.

Two years later, auditors checked in again.

Persistent problems

The computer system was still spitting out reports of unauthorized attempts at access, and there was still no requirement that workers regularly read them. Reports identifying who was trying to get into the system without permission didn’t exist.

Access remained a problem. Two ex-employees — including one who had been gone for months — still had access to voters’ records. Three others who worked temporarily on the system kept access to it after their jobs were done.

Access wasn’t the only issue. There was no disaster plan ensuring the state’s only repository for voter records wouldn’t be lost in, for instance, a fire or a hurricane. Workers were struggling to delete convicted felons from the voter rolls, but there weren’t enough people to do the job. There was little awareness of security requirements and inadequate training, auditors found.

By then, there was a security control program. But auditors found it lacking, citing the need for consistent policies ensuring “minimum security measures” to protect data.

Rebuilding the old, building the new

In 2015, Florida launched what was expected to be a two-year modernization effort to update the voter record system’s hardware and rewrite software.

The same year, the Legislature ordered Florida’s Department of State to create an online voter registration system, another massive undertaking that would have to be up and running in two years, as well.

Also in 2015, auditors weighed in again on concerns originally raised in 2008 about the voter records repository. Though several had been taken care off, new ones had popped up.

There was no routine maintenance schedule for keeping the system up and running.

In one month alone, the system was down for three straight days and out of action for part of another three days.

When maintenance occurred, there were incomplete records of problems found, or the reasons for the problems, or the time it took to fix them or any analysis to see if the problems were part of a pattern.

A state-required disaster plan had not been fully tested since 2011.

An unnamed security risk

Security and access to sensitive voter information remained a headache, too. Workers hired after July 2014 had not received security training, and 14 workers had “inappropriate” levels of access to the voter records.

That was a problem, wrote auditors. “Inappropriate and unnecessary access privileges increase the risk of unauthorized disclosure, modification or destruction of data.”

But it couldn’t be readily fixed: The system used by the state to enter data into the registration database automatically gave any user broad access.

But auditors stopped short of publicly identifying exactly what those gaps were. Doing so might further damage security.

By December 2015, the Department of State reported almost all of the critical findings were being addressed and, if not fully resolved, were being fixed.

For example, overly broad access and disaster plan testing were being solved with a revision to the system’s software and hardware. Maintenance record-keeping rules and analysis were being tightened.

As for the last, unspecified security concern, the department responded that it had "implemented improved security controls.”

Going phishing

Nine months later in September 2016, Detzner’s office — and all 67 county supervisors of elections — got a call from the FBI.

The feds had a nonspecific warning, said Sarah Revell, the department’s spokeswoman. They told Florida there was a need to maintain election security.

Although they never mentioned any specific concerns about Florida, the state was in the crosshairs of Russian hackers, according to the Mueller indictment.

Kovalev, the Russian military agent, had not only been looking for weaknesses in county elections supervisors websites. His group was “spearfishing.”

The scheme: pose as an election vendor and email an attachment to local election officials loaded with a malicious software program — malware.

If they opened the attachment, the malware could spread through the office computer system.

When Tallahassee-based elections company VR Systems Inc. discovered suspicious activity involving their clients, they called the FBI.

Emails bearing VR Systems’ address were being mailed to elections supervisors with instructions to open an attachment.

VR Systems provides voter registration software and hardware, among other tools and services. Its clients include the state as well as multiple county elections offices.

According to a congressional task force, Russians sent fake VR Systems emails to more than 100 elections offices and elections workers trying to get them to open the attachment.

The company said no accounts were compromised.

VR had already spent money on beefing up its own cybersecurity. After the spearfishing expedition, they spent more.

But they didn’t have to, which posed another security concern, a congressional task force concluded.

VR Systems is among a small industry of third-party vendors providing elections officials with tools and services. The companies are completely unregulated at the federal level. That leaves it up to states and local elections supervisors to determine what cybersecurity steps the companies have to take.

In the event of a cyberattack, the state contract did not detail who they were required to tell about a security breach, or when.

Florida is in frequent communication with VR Systems about security, said the Department of State’s Revell. As for the fake Russian emails to Florida elections officials, “There is no evidence that any unauthorized access occurred nor were any potential hacking attempts successful, she said.

"Show them what we are made of"

No one is suggesting that the current problem with online voter registration reflects an attempt to get into the computerized system.

But Bucher questions why the $1.8 million, year-old system wasn’t more rigorously tested.

“They sent us one record” as part of a test, said Bucher, who had her IT experts on hand.

They couldn’t get the record to open.

“We never heard from them again,” she said of the state. The system went live in October 2017.

Problems, she said, popped up just before the primaries, as people tried to register in advance of the election.

Then, the first weekend in October, just days from the deadline to register to vote in this Tuesday’s hotly contested election, online registration plummeted.

Bucher’s office had been averaging 300 to 500 new Palm Beach County online voter registrations a day when on Saturday Oct. 6, that number plunged to one. The next day, just one new voter signed up online.

The day after that, just three did.

The Department of State's Revell emphasized that said the sporadic issues were rapidly resolved.

In counties across the state, the number of new voters registering online shot up, something Revell attributes to the large numbers of people rushing to register or update registrations before the deadline.

The Center for American Progress' Root doesn't downplay voters' concerns raised by technical problems. And the intelligence community has never eased off its warnings that Russians will continue trying to exploit it.

But people should vote anyway, Root said, because one of the goals of Russian hackers was to keep people from casting a ballot to begin with.

"You could be letting these foreign government win by simply not showing up at all," said Root, "and this is a moment in history where we need to show them what we are made of."

pbeall@pbpost.com

@Beall1

Never miss a story

Choose the plan that's right for you.
Digital access or digital and print delivery.